Keep on rating – on the systematic rating and comparison of authentication schemes

Six years ago, Bonneau et al. (2012) proposed a framework to compare authentication schemes to the ubiquitous text password. Even though their work did not reveal an alternative outperforming the text password on every criterion, the framework can support decision makers in finding suitable solutions for specific authentication contexts. The purpose of this paper is to extend and update the database, thereby discussing benefits, limitations and suggestions for continuing the development of the framework.

This paper revisits the rating process and describes the application of an extended version of the original framework to an additional 40 authentication schemes identified in a literature review. All schemes were rated in terms of 25 objective features assigned to the three main criteria: usability, deployability and security.

The rating process and results are presented along with a discussion of the benefits and pitfalls of the rating process.

While the extended framework, in general, proves suitable for rating and comparing authentication schemes, ambiguities in the rating could be solved by providing clearer definitions and cut-off values. Further, the extension of the framework with subjective user perceptions that sometimes differ from objective ratings could be beneficial.

The results of the rating are made publicly available in an authentication choice support system named ACCESS to support decision makers and researchers and to foster the further extension of the knowledge base and future development of the extended rating framework.